Draft executive regulations to the Saudi Arabia data protection law
The Saudi Data & Artificial Intelligence Authority has now published a much-awaited draft of the executive regulations.
Background
The Saudi Data & Artificial Intelligence Authority (the SDAIA) has now published a much-awaited draft of the executive regulations (the Executive Regulations) to the Personal Data Protection Law (Royal Decree M/19 of 9/2/1443H) (the Personal Data Protection Law). The Executive Regulations are intended to build on the new Saudi Arabian personal data protection framework introduced by the Personal Data Protection Law. The Executive Regulations also provide some clarity on certain concepts contained in the Personal Data Protection Law ahead of the new law coming into force on 23 March 2022 (the Effective Date).
We strongly encourage data protection stakeholders to submit their thoughts and critiques of the Personal Data Protection Law and the Executive Regulations through the newly launched consultation administered by SDAIA. Submissions will close on 25 March 2022. Below we provide a summary of our thoughts on some of the key provisions in the Personal Data Protection Law and the Executive Regulations.
Application
The Personal Data Protection Law has broad extra-territorial effect and applies to: (i) personal data processed in the Kingdom of Saudi Arabia (KSA); and (ii) processing that takes place outside of the KSA where personal data relating to individuals residing in Saudi Arabia is being processed. Accordingly, organisations with a presence in Saudi Arabia will need to consider the application of the Personal Data Protection Law not only to their KSA-based entities but also to any foreign entities involved in the processing of personal data belonging to individuals residing in the KSA.
In addition to considering the potential for extra-territorial application, in-Kingdom controllers may, in certain instances, need to comply simultaneously with multiple cybersecurity regimes. The Executive Regulations confirm our previous understanding that other KSA laws relating to cybersecurity will continue to apply alongside the Personal Data Protection Law. In particular, controllers must adhere to:
- all controls, standards and guidelines issued by the National Cybersecurity Authority; and
- international best practices and widely used standards relating to cybersecurity, if the controller is located outside the KSA.
Transfer of personal data outside of the KSA
Perhaps the most highly anticipated sections of the Executive Regulations pertain to cross-border transfers of personal data outside of the KSA. In line with the general trend in the Middle East, and specifically in the KSA, towards stronger data localisation requirements, the Personal Data Protection Law provides for a general prohibition on the transfer of personal data outside the KSA except where certain limited conditions are met, which include, amongst other things, obtaining written approval from the regulatory authority (i.e., the industry sector regulator). As expected, the Executive Regulations provide some additional details on how such approvals for cross-border personal data transfers will be obtained, but the proposed process is less than ideal. Not only must the controller conduct a privacy impact assessment, but written approval from the regulatory authority will be provided only once the regulatory authority has liaised with SDAIA on a case-by-case basis. The obvious concern here is the potential for delays and disruptions to operations caused by an overly burdensome application process.
Further, while the Executive Regulations provide that SDAIA will compile a list of jurisdictions providing an adequate level of protection for personal data (the Adequacy List), it is unclear whether, where the jurisdiction to which a controller seeks to transfer personal data is on the Adequacy List, (i) the controller must still apply to the regulatory authority for approval, with the regulatory authority no longer needing to liaise with SDAIA on a case-by-case basis before approving the controller's request, or (ii) the controller may proceed with the transfer without needing to apply for written approval from the regulatory authority or SDAIA. The foregoing aside, the Executive Regulations also do not indicate when the Adequacy List will be made available. As a result, those currently engaging in cross-border transfers of personal data may be required, at least initially, to undertake the formal approval process.
Consent & Legal Basis for Processing
Similar to the recently issued Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data of the United Arab Emirates (the UAE PDPL), consent is the primary lawful basis for processing under the Personal Data Protection Law. The Personal Data Protection Law does provide an enumerated list of instances where processing without the consent of the data subject will be permitted, however, these instances are quite limited, including circumstances where:
- the processing achieves a realised interest for the owner of the personal data and contacting that owner is impossible or difficult;
- processing is in accordance with another law or in implementation of a previous agreement to which the owner of the personal data is a party; or
- the controller is a public entity, and such processing is required for security purposes or to fulfil judicial requirements.
The Personal Data Protection Law in certain instances refers to a practical justification for collecting personal data, a term it does not define. The Executive Regulations now refer to the term Practical Need, defined as an actual need for processing personal data with fairness and integrity without conflicting with the rights and expectations of the data subject. Given this definition, a Practical Need for processing appears to be the KSA's equivalent of the legitimate interests ground, a basis commonly relied upon under established data protection regimes around the world, such as the EU's GDPR. However, the Executive Regulations do not detail the conditions for relying on Practical Need as a ground for processing. It is unclear if and when such additional details will be provided.
In addition to the above, the Executive Regulations impose further conditions on the required form of consent, which signals to us that KSA regulators require consent to be meaningful where it is the lawful basis for processing. For example, where a controller relies on implied consent: (i) the data subject must be clearly informed of the processing; (ii) it must not be reasonably possible to request explicit consent from the data subject; and (iii) the action of the data subject must clearly and unambiguously affirm their consent to the processing. Organisations would, therefore, be well advised to reconsider their processes and procedures for obtaining consent, especially where implied consent is to be relied on as a basis for processing personal data under the Personal Data Protection Law.
Data Subject Rights
The Executive Regulations also provide additional details with respect to the individual rights of data subjects, which include:
- the right to be informed of certain details with respect to the processing of the data subject's personal data (e.g., the purpose of the processing and the legal justification for it);
- the right to be informed of, and object to, automated decision making; and
- the right to access, copy and request the correction or destruction of personal data.
Controllers to which the Personal Data Protection Law applies will, therefore, need to develop processes and procedures to give effect to these new individual rights and ensure their processors do the same.
Final remarks
As this is the KSA's first comprehensive data protection law, we expect more clarifying details to filter through from SDAIA over the coming months. We expect matters such as cross-border transfers and individual data subject access rights to remain at the forefront of the discussion in the interim. That said, the results of the consultation may be useful in identifying and plugging the gaps left by the Personal Data Protection Law and the Executive Regulations. In any event, businesses, especially those that depend on cloud services hosted outside the KSA, will need to think about taking the necessary steps to prepare internally for compliance with the new framework.